URL: https://github.com/freeipa/freeipa/pull/5138
Author: tiran
Title: #5138: [Backport][ipa-4-8] Delay import of psutil to avoid AVC
Action: opened

PR body:
"""
This PR was opened automatically because PR #5132 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5138/head:pr5138
git checkout pr5138
From 27ef9dc101ab3e37c1390b83c9459d78dc937779 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 23 Sep 2020 08:46:44 +0200
Subject: [PATCH] Delay import of psutil to avoid AVC

Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a
system has a sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violation and a Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/installutils.py | 4 +++-
 ipaserver/plugins/join.py         | 4 ++--
 ipaserver/setup.py                | 1 +
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0e304a490a..fcf8501a6e 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -29,7 +29,6 @@
 import os
 import re
 import fileinput
-import psutil
 import sys
 import tempfile
 import shutil
@@ -1047,6 +1046,9 @@ def check_available_memory(ca=False):
                 "Unable to determine the amount of available RAM"
             )
     else:
+        # delay import of psutil. On import it opens files in /proc and
+        # can trigger a SELinux violation.
+        import psutil
         available = psutil.virtual_memory().available
     logger.debug("Available memory is %sB", available)
     if available < minimum_suggested:
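Review bot: The delayed `import psutil` in the else branch of check_available_memory() is still unguarded, so the PermissionError quoted in the commit message will propagate from here if this function is ever reached from a confined process. Consider wrapping the import in try/except and reporting it the same way as the branch above ("Unable to determine the amount of available RAM"), or extend the comment to state that this function is only called from the installer, which is not subject to the policy that denies /proc/stat. A reference to https://pagure.io/freeipa/issue/8512 in the comment would also help the next reader who is tempted to move the import back to module level.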
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
index eb0d309ac4..fa9a43b583 100644
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@@ -25,7 +25,7 @@
 from ipalib import Command, Str
 from ipalib import errors
 from ipalib import _
-from ipaserver.install import installutils
+from ipalib.constants import FQDN
 
 __doc__ = _("""
 Joining an IPA domain
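Review bot: Dropping `from ipaserver.install import installutils` from the join plugin is not mentioned in the commit message, which only describes the change inside installutils.py. With the import in check_available_memory() already delayed, please say in the message whether this removal is required for the fix (the plugin no longer loads installutils at all) or is extra hardening, so that a later refactoring does not reintroduce the import into plugin code without anyone noticing the AVC risk.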
@@ -60,7 +60,7 @@ class join(Command):
             validate_host,
             cli_name='hostname',
             doc=_("The hostname to register as"),
-            default_from=lambda: unicode(installutils.get_fqdn()),
+            default_from=lambda: FQDN,
             autofill=True,
             #normalizer=lamda value: value.lower(),
         ),
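Review bot: The new `default_from=lambda: FQDN` is not a drop-in for `unicode(installutils.get_fqdn())` in two respects that should be confirmed. The old code called get_fqdn() each time the default was evaluated, while FQDN is a constant imported from ipalib.constants and is fixed when that module is loaded. The old code also coerced the result with unicode(), so please confirm FQDN is already a text string on every Python version this branch supports, otherwise the Str parameter may receive a different type than before.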
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 5d4bf0895f..ff9cd81a7a 100644
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -59,6 +59,7 @@
             "jwcrypto",
             "lxml",
             "netaddr",
+            "psutil",
             "pyasn1",
             "requests",
             "six",
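Review bot: The added "psutil" entry in ipaserver/setup.py is an independent packaging fix, since installutils.py already imported psutil before this patch, and the commit message does not mention it. Add a line to the message saying the dependency declaration was missing, or split it into its own commit, so the backport history shows why the dependency list changed.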